Thursday, May 9, 2013

ESET CrackMe! 2013 write-up

As this year's CONFidence is nearly here the guys at ESET created another CrackMe challenge. The first 5 people to solve it received a free ticket for the conference. Unfortunately I was not one of the first 5, but solving the challenge was fun regardless. This is the first time I participated, but I think this year's challenge was not as hard as the previous ones. I read some write-ups from last year and that one seemed much harder. If you are a beginner like me, you may want to try and solve it yourself before you read on.

Anyways, on with the solution.

PEiD

Let's open the downloaded program and see what happens. When you start the application it displays a nice welcome message and it even has a help menu. I tried a random password just for kicks, but it didn't work. Oh, well.

Let's jump into things and open the application in IDA pro. This is what happens:

Okay, this might mean that the file was packed. And indeed the first instruction is pusha, which is suspicious. Better check what packer was used. Let's fire up PEiD.

UPX

UPX it is. Well let's try and unpack it in UPX itself, which has a nifty "-d" flag for this.

Close, but no cigar. We will have to do it by hand.

OllyDump

I recently started attending a sort of University "club" about reverse engineering, which is awesome by the way, and our first homework was doing exactly this by hand. Here is a demo that demonstrates the solution. The trick is that most packers (including UPX) push all the registers onto the stack before the unpacking begins, and when the unpacking is done they pop all of the values back. By placing a hardware breakpoint on one of the pushed values, we can find when they are popped and dump the unpacked process. Another solution in IDA is looking at the graph view, scrolling to the bottom and finding a popa instruction that marks the end of the unpacking.

Since Ollydbg has a really nice OllyDump plugin, we will use that to manually unpack the CrackMe. After starting Olly we immediately find the pusha instruction. Then we press step over once and follow ESP in the dump, just like in the demo.

Then we can put a hardware breakpoint on the value and start execution.

The debugger immediately stops after the popa instruction. We are close now.

We can see a little loop that pushes 0 onto the stack until ESP reaches EAX. And after this is where the magic happens. We jump to 0x0040A97C which is the entry point of the unpacked process. We put a breakpoint on this jump and then step to the entry point. This is when we can use OllyDump. Sweet, but don't close Olly yet!

ImpREC

The dump won't start by itself. Just like in the demo, we need to rebuild the IAT and ImpREC (Import REConstructor) is a great tool for this. We start ImpREC and select the CrackMe process. It loads the process and displays the image base: 0x00400000. With this we can figure out the OEP value. The EIP that we jumped to in Olly was 0x0040A97C. Subtract the image base and we get an OEP (0xA97C).

Then we can just follow the demo and click "Get Imports" and then "Fix Dump". At the end we should have a fixed dump that executes. We can finally start reversing things.

IDA

This time when we load the exe into IDA pro we don't get any warnings and we even have a nice Imports table. Let's look at the entry point first. What we see is a ton of mov instructions that move constants to seemingly random locations. At this point I was really hoping it is not a virtual machine. But looking at the data that is copied closely, we can see that they are mostly letters and spaces. We can press R to see the actual characters and voilà:

Okay this is random. But looking at it again, the locations are random too and the stars are familiar from the welcome screen of the CrackMe. I really wanted to see the assembled memory in one place so I started debugging with a breakpoint at the end of this whole thing. Let's follow this in a hex window.

And this is it. There it is, in cleartext. Let's see if it really works, or it's just a prank. The password spells "BAZINGA!" after all.

It works !It's great, but to me this seemed a bit too easy. I was done with this in about 15 minutes. It's too bad that I only heard about the CrackMe 2 hours after it was tweeted. Anyway, kudos to my friend who did it a minute earlier than me.

For some reason I was convinced that this is just a decoy pasword and started reversing the application a bit more. Apparently it reads the password, then takes the MD5 hash of "BAZINGA!", then takes the MD5 hash of the entered password and compares them. There is a bit of protection when/before the hashing happens. The program checks for various processes and also starts a timer before the hashing. If the time difference is greater than a specified value after the hash is finished it puts the program into an infinite loop.

It's really strange that they put the cleartext password in there and later used MD5. Was this just for obfuscation? I don't know. Anyway, I had fun with this. Thanks to the guys at ESET for creating this CrackMe. I hope you enjoyed this short write-up. If you spot a mistake, please comment.